Ransomware victim disclosure
← All victimsLabExpress / Garonit Pharma
Claimed by INC Ransom · listed 2 days ago
Status timeline
- Listed
Jun 2, 2026
Current state: Listed for ransom
At a glance
- Group
- INC Ransom
- Status
- Listed for ransom
- Country
- US
- Listed on leak site
- Jun 2, 2026
- Data size
- 200GB
About the victim
AI dossier — public-source company profileLabExpress and Garonit Pharma operate as a US-based pharmaceutical and laboratory services company under shared infrastructure. The two entities operate from a single Active Directory domain (LABEXPRESS1.local) with 65 computers and 142 user accounts, indicating a mid-sized operation.
- Industry
- Pharmaceutical / Laboratory Services
- Employees
- 142
Attack summary
Severity: high — Confirmed exfiltration of 200 GB from a pharmaceutical company including full Active Directory data, employee information, and internal business records. Pharmaceutical sector data carries significant sensitivity; employee PII and operational infrastructure exposure poses material risk.INC Ransom claims to have exfiltrated 200 GB of internal data from the combined LabExpress/Garonit Pharma infrastructure, including Active Directory dumps, file server contents, and cross-company records. The group has published proof files and threatened to make the data publicly available.
Data the group says was taken
AI dossier — extracted from the leak post- Active Directory domain data (65 computers, 142 user accounts, 98 groups, 11 OUs)
- File server contents
- Cross-company internal records
- Employee information
- Business infrastructure documentation
What the group claims
LabExpress and Garonit Pharma are US-based companies operating under a shared infrastructure including a single Active Directory domain (LABEXPRESS1.local), a shared file server, and extensive cross-company records. 200 GB of internal data was obtained.
The leak post
captured from the group's site```
{"type":true,"message":"Success: got announcements.","payload":{"length":714,"announcements":[{"_id":"6a1d7512d152110a6ac7b3d5","company":{"company_name":"Bradley%20law%20firm","country":"US","revenue":5800000},"categories":["Encrypted","AD%20Dump","Proof"],"description":["Bradley%20Law%20Personal%20Injury%20Lawyers%20is%20a%20law%20firm%20dedicated%20to%20representing%20clients%20who%20have%20suffered%20injuries%20due%20to%20accidents%2C%20medical%20malpractice%2C%20and%20other%20forms%20of%20negligence.%20With%20over%2030%20years%20of%20experience%2C%20they%20have%20successfully%20recovered%20more%20than%20%24100%20million%20in%20settlements%20and%20verdicts%20for%20their%20clients%20across%20Missouri%20and%20Illinois.%20Their%20services%20include%20free%20case%20consultations%20and%20a%20commitment%20to%20fight%20for%20maximum%20compensation%20on%20behalf%20of%20accident%20victims.%20The%20firm%20is%20known%20for%20its%20expertise%20in%20personal%20injury%20law%2C%20including%20vehicle%20accidents%2C%20workplace%20injuries%2C%20and%20wrongful%20death%20cases."],"logo":"6a1d7512d152110a6ac7b3cf","proof":["6a1d7512d152110a6ac7b3cc","6a1d7512d152110a6ac7b3cd","6a1d7512d152110a6…Data the group says was taken
- AD Dump
- Encrypted
- Stocks
- Active Directory data
- user accounts
- email/Exchange mailboxes
- file server data
Screenshot of the leak post
Sources
Source
Indexed 2 days agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.